# |
Jun 21st 2021, 12:22 |
a.vanniel |
What I don't really get, but there might be some logic to this, is why the Google website counts as an existing route...? |
# |
Jun 21st 2021, 12:17 |
a.vanniel |
would normalize be able to help me out here? |
# |
Jun 21st 2021, 12:16 |
a.vanniel |
it's not that I would want this to be added to the middleware per se... it was more of a thing that I am using similar logic (redirect param) and after doing the thing, redirect the user to the redirect param and when I looked at the Authentication middleware I did not see any security in place to prevent someone/something from redirecting someone to something externally after a login... I am doing this after a payment and I would like to prevent manipulation of the redirect param so that someone is not redirected anywhere externally after payment is done and after a user is coming back... the url is stored in the database for several reasons, one of which is because the payment provider is a pain in the behind about return urls. |
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
we could make that a configurable option |
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
then that would have to be added to this function i guess https://github.com/cakephp/authentication/blob/de989c759937406f514a5a31313b36578005b07c/src/AuthenticationService.php#L360 |
# |
Jun 21st 2021, 12:09 |
a.vanniel |
maybe I am just making things more complex than need be but it feels like a security hole in the location I have this ?redirect= param... |
# |
Jun 21st 2021, 12:08 |
a.vanniel |
but that is when a user is about to or just has been redirected, right? |
# |
Jun 21st 2021, 12:07 |
kevin.pfeifer |
you could use https://github.com/cakephp/cakephp/blob/master/src/Routing/Router.php#L225 and catch the MissingRouteException |
# |
Jun 21st 2021, 12:07 |
a.vanniel |
alright... thing is that with the Authentication middleware, relative redirects are used, to make sure the param does not get too large I guess... |
# |
Jun 21st 2021, 12:06 |
a.vanniel |
I thought I'd take a look at Router::routeExists() but that actually returns true for external URLs. ... |
# |
Jun 21st 2021, 12:06 |
kevin.pfeifer |
to be fair, all the redirect param logic I know always uses absolute urls |
# |
Jun 21st 2021, 12:04 |
kevin.pfeifer |
well if you force your redirect param to be absolute all the time then you can check that pretty easily with a parse_url |
# |
Jun 21st 2021, 11:59 |
a.vanniel |
I thought I would check how the Authentication middleware handles this... but when you open a login screen, change the ?redirect= to something else and log in, you are then redirected to the external page I entered in ?redirect=... I had expected this would really force redirect to be local/matching route but it doesn't |
# |
Jun 21st 2021, 11:57 |
a.vanniel |
the latter might not work with a relative path unless the Router first qualifies the user-given url of course |
# |
Jun 21st 2021, 11:57 |
a.vanniel |
Basically I want to prevent someone (or something) from entering https://www.google.com in the ?redirect= , so that when they would hit refresh and after the form has been posted they would not be transported to https://www.google.com ... and where this google url is set, any other malicious url could be set and you could replace the user by any malicious script I guess. So I am conflicted between the "check if the url matches a route" and the "check for host" method... |
# |
Jun 21st 2021, 11:53 |
kevin.pfeifer |
so you want to know if a given URL matches any route in your app? Or are you happy if you check the host part of the url? |
# |
Jun 21st 2021, 11:47 |
a.vanniel |
Does anybody know if there is a way to filter a user supplied url? Basically what I would like to do is populate a query variable and I want to sanitize this variable so it does not contain an external url... I thought passing something to Router::url() would solve my problems but when I pass something like https://www.google.com to Router::url() I am just getting the same url back, instead I would have liked something like / or /pages/display/home to be returned. Is this at all possible? |
# |
Jun 21st 2021, 10:19 |
kevin.pfeifer |
@alamnaryab what are you trying to accomplish with that logic? As far as I know the `$connection->rollback();` only works for manually executed queries like ```$connection->execute('UPDATE articles SET published = ? WHERE id = ?', [true, 2]);``` If you go through the ORM with `$connection->Tags->save($tag)` you can’t rollback from that. But again, what are you trying to accomplish? |
# |
Jun 21st 2021, 09:16 |
kupe3b |
thanks @erwane |
# |
Jun 21st 2021, 07:59 |
erwane |
https://book.cakephp.org/4/en/views/helpers/form.html#creating-select-pickers |
# |
Jun 21st 2021, 07:59 |
erwane |
so `<?= $this->Form->control('fieldname', ['multiple' => 'checkbox', 'options' => $selectOptions]) ?>` |
# |
Jun 21st 2021, 07:58 |
erwane |
```Attributes for Select Pickers 'multiple' - If set to true allows multiple selections in the select picker. If set to 'checkbox', multiple checkboxes will be created instead. Defaults to null.``` |
# |
Jun 21st 2021, 07:38 |
kupe3b |
hello, when baking views, in many-to-many relations a <select> tag is generated with multi-selection enabled. Is there an easy way to make it generate a list of checkboxes instead? |
# |
Jun 21st 2021, 06:43 |
erwane |
`displayField` ? |
# |
Jun 21st 2021, 06:40 |
paolo.bragagni |
hi I'm trying to get in form.twig the name of the 'title' in the associated table. I mean the name of the default field used for 'title'. |
# |
Jun 21st 2021, 06:01 |
alamnaryab |
Good morning, having an issue with transactions https://book.cakephp.org/4/en/orm/database-basics.html#using-transactions |
```php
if ($this->request->is('post')) {
    $connection = ConnectionManager::get('default');
    $connection->begin();
    $tag = $connection->Tags->patchEntity($tag, $this->request->getData());
    if ($connection->Tags->save($tag)) {
        $connection->rollback(); //*********** this rollback is not working record is saved in DB
        $this->Flash->success(__('The tag has been saved.'));
        return $this->redirect(['action' => 'index']);
    }
    $this->Flash->error(__('The tag could not be saved. Please, try again.'));
}
```
# |
Jun 20th 2021, 17:13 |
ndm |
you're welcome |
# |
Jun 20th 2021, 17:13 |
amayer |
Thanks for pointing me down the right path @ndm! |
# |
Jun 20th 2021, 17:12 |
amayer |
Looks like `$config = ConnectionManager::getConfig('default');` is what I was looking for! |
# |
Jun 20th 2021, 17:00 |
amayer |
I'll give the ConnectionManager thing a try. |
# |
Jun 20th 2021, 16:59 |
ndm |
well there you go :) |
# |
Jun 20th 2021, 16:59 |
ndm |
Some configuration is "consumed", meaning it is being removed from the config after reading, and then it's only available via the consumers, in your case the connections. Try `\Cake\DataSource\ConnectionManager::get('default')->getConfig()` |
# |
Jun 20th 2021, 16:59 |
amayer |
I may have found the issue... Looks like `Datasources` is being consumed in config/bootstrap.php |
# |
Jun 20th 2021, 16:50 |
amayer |
Hello, I am writing a plugin (composer package) and would like to retrieve the `Datasources.default` settings using `\Cake\Core\Configure::read()`, but it doesn't seem to have a value. All other settings in my config/app_local.php (main application, cakephp 4.2.7) seem to be there. Is there a reason I can't access `Datasources.default` from a plugin? |
# |
Jun 20th 2021, 13:14 |
ndm |
As you've done it in your snippet would be one way, it should work fine for date/time objects that are being cast to string. But as mentioned, your output looks like the default JSON encode format, the default to string format is i18n aware, and will never give you the format that's shown in your output. |
# |
Jun 20th 2021, 13:12 |
alamnaryab |
I need one format that is `yyyy-MM-dd HH:mm:ss` for any language/locale; all the users are in the same timezone. Where and how can I set this? |
# |
Jun 20th 2021, 13:10 |
ndm |
Indeed, it depends. If he'd need all output in the same format, then setting a default to string format could work just fine. But that's different from timezone conversions, the to string logic isn't aware of timezones, only of formats. All that being said, his snippet should have worked fine, so there must be something else to it. That example output looks like the default JSON encode format. |